The-Accountant-Sep-Oct-2017-Final
PEN OFF
INSIDER THREATS
Is your organization protected?
By FCPA Jim McFie, a Fellow of the Institute of Certified Public Accountants of Kenya

In December 2016, in a seminar at a hotel in Nairobi, IBM made a presentation to persons interested in cyber security. IBM has developed software that enables banks to protect themselves against hackers outside the bank. However, this software does not protect the bank from insiders. Some days before that seminar, another computer software company had presented security solutions at a workshop; a lady who works in a bank stated that all young people who join the bank for which she is the security officer were involved in stealing. This is probably an exaggeration, but today it is often as important to defend the organization from staff as it is from outsiders, and this is the case world-wide.

An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems. But often, even honourable and honest employees can cause an organization loss of one form or another.

Building a culture of cyber security awareness starts at the top. Boards of directors and C-level executives need to understand that they ignore cyber security at their peril and that their communications to employees about this topic are a vital piece in building a security culture. In a recent survey in the US of IT security executives, 38% of enterprises reported that their Board encourages an organizational culture of information security by identifying and communicating key risks to employees. 37% reported that Board participation led to an increase in information security program funding. The Board’s involvement makes a difference, and Board members need to understand this. With 43% of CEOs seeing cyber security as a top business risk, the tides are certainly shifting.

Recent widely publicized security breaches have certainly contributed to this mindset. It is important to build on this awareness by making education a priority at every level, keeping executives informed about IT security issues and making them understand their role in helping to educate and inform employees.

Cybercriminals do not care about the size of the entity they attack. Why? If a small entity has access to the data of a large enterprise, the small organization becomes a prime target. In many cases, small businesses act as customers of or suppliers to large enterprises and, therefore, have access to sensitive insider information. Many small businesses do not have the time or resources to combat security threats. As large enterprises continue to build up their security perimeter and educate their employees about what to avoid, small- and medium-sized enterprises are even more susceptible to cybercriminals who are looking at the whole marketplace for areas of vulnerability. By building a multilayered security strategy that takes into
66 September - October 2017